Following a series of attacks over the past year that leveraged zero-day exploits against on-premises versions of Microsoft Exchange servers, a new tool aims to provide emergency mitigation.
While Microsoft has patched all three sets of “Proxy” flaws, the first of which emerged in March, installing the security updates proved difficult for a significant number of customers. To give enterprises more time to apply available security updates, Microsoft released the Emergency Mitigation (EM) service for Exchange Server on Tuesday.
Originally announced on Friday as a new component of the Exchange On-premises Mitigation Tool (EOMT), which was released in March, EM is part of the September 2021 cumulative update (CU) for the email platform. With the release, Microsoft said only the June 2021 and September 2021 CUs are supported for Exchange security updates.
“After the release of the March SUs, we learned that many of our customers weren’t ready to install them because they were not running a supported CU,” Microsoft said in a blog post. “Based on our customer engagements, we realized that there was a need for a simple, easy to use, automated solution that could help customers quickly protect their on-premises Exchange servers, especially those who did not have dedicated security or IT teams to apply critical updates.”
The new feature works with the cloud-based Office Config Service, from which it pulls mitigations. Those mitigations are applied automatically as interim fixes for high-risk bugs that have a known mitigation, giving companies more time to apply the actual patches.
In the blog post, Microsoft referred to securing and updating on-premises infrastructures including Exchange Servers as a “continuous process.” That may prove more difficult for companies with fewer IT resources, particularly when threat actors continually take advantage of unpatched servers as they did with the Proxy flaws.
Exchange Server under attack
Beginning in March, Microsoft disclosed and released patches for several zero-day vulnerabilities impacting the email platform that had been exploited in the wild weeks earlier.
Of the four flaws, ProxyLogon was the most critical because it allowed an attacker to bypass authentication and impersonate an administrator. Chained with the other zero-day flaws, it produced a remote code execution exploit.
Prior to disclosure, the exploit was used by a Chinese nation-state threat group; later, it was picked up by cybercriminals and ransomware gangs, as Microsoft and other security researchers observed an “increase in attacks” against the email platform. The threat to government and private-sector organizations, including small and medium-sized businesses, did not stop there.
Attacks using ProxyShell, a trio of flaws that are chained together and exploited remotely, began this summer. The three ProxyShell vulnerabilities had been fixed in the April and May 2021 security updates, but as of August tens of thousands of Exchange Servers remained vulnerable to both ProxyLogon and ProxyShell. An alert issued the same month by the Cybersecurity and Infrastructure Security Agency warned that the ProxyShell flaws were being actively exploited and highlighted the ongoing danger.
A third Proxy flaw, dubbed ProxyToken, was disclosed later that month. It received a lower Common Vulnerability Scoring System (CVSS) score than its predecessors, but it too is an authentication bypass vulnerability.
With three major exploit chains in circulation and some organizations slow to patch, Microsoft took matters into its own hands. Because new mitigations can be published at any time in response to emerging threats, Microsoft set the EM service to check for them hourly.
“If Microsoft learns about the security threat and we create a mitigation for the issue, that mitigation can be sent directly to the Exchange server, which would automatically implement the pre-configured settings,” the blog said.
Though mitigations are applied automatically, companies can turn the service off, either organization-wide or per server. Microsoft also stresses that a mitigation is only a temporary measure to reduce the attack surface; it does not replace installing the security update.
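For an administrator who wants to confirm what the EM service is doing on a given server, the following Exchange Management Shell snippet is an added example; it is not from the article or from Microsoft's blog post. It assumes Exchange 2016 CU22 or Exchange 2019 CU11 (the CUs that ship the service), the MSExchangeMitigation Windows service name, the MitigationsEnabled / MitigationsApplied / MitigationsBlocked properties on Get-ExchangeServer and Get-OrganizationConfig, the Get-Mitigations.ps1 script in the Exchange Scripts folder, and officeclient.microsoft.com as the Office Config Service endpoint. The function name Get-EmStatus and the mitigation ID "M01" are placeholders.

```powershell
# Added example, not Microsoft's code. Run from the Exchange Management Shell
# on an Exchange 2016 CU22 / 2019 CU11 (or later) server.

function Get-EmStatus {
    param(
        # Placeholder: name of the Exchange server to inspect.
        [string]$ServerName = $env:COMPUTERNAME
    )

    # 1. The Windows service that implements EM. Assumed service name:
    #    MSExchangeMitigation. If it is stopped, nothing gets applied.
    $svc = Get-Service -Name MSExchangeMitigation -ComputerName $ServerName

    # 2. Reachability of the cloud endpoint the service polls hourly
    #    (assumed to be officeclient.microsoft.com over TCP 443).
    $net = Test-NetConnection -ComputerName officeclient.microsoft.com -Port 443

    # 3. Org-wide and per-server switches. Both must be $true for a
    #    mitigation to be applied on this server.
    $org = Get-OrganizationConfig
    $srv = Get-ExchangeServer -Identity $ServerName

    [pscustomobject]@{
        Server              = $ServerName
        ServiceStatus       = $svc.Status
        ServiceStartType    = $svc.StartType
        EndpointReachable   = $net.TcpTestSucceeded
        OrgMitigations      = $org.MitigationsEnabled
        ServerMitigations   = $srv.MitigationsEnabled
        ExchangeBuild       = $srv.AdminDisplayVersion
        MitigationsApplied  = ($srv.MitigationsApplied -join ',')
        MitigationsBlocked  = ($srv.MitigationsBlocked -join ',')
    }
}

# Status for every server in the org, one row each.
Get-ExchangeServer | ForEach-Object { Get-EmStatus -ServerName $_.Name } | Format-Table -AutoSize

# Detail of what has been applied on this box, using Microsoft's own script
# in the Scripts folder ($exscripts is defined by the Exchange Management Shell).
& (Join-Path $exscripts 'Get-Mitigations.ps1')

# Opt one server out while you patch it by hand, then opt back in. Commented
# out so the inventory above is safe to run as-is.
# Set-ExchangeServer -Identity $env:COMPUTERNAME -MitigationsEnabled $false
# ... install the SU/CU ...
# Set-ExchangeServer -Identity $env:COMPUTERNAME -MitigationsEnabled $true

# Or block a single mitigation by ID (placeholder "M01"; real IDs appear in the
# Get-Mitigations.ps1 output) if it breaks an application, keeping the rest.
# Set-ExchangeServer -Identity $env:COMPUTERNAME -MitigationsBlocked @('M01')
```

The inventory is read-only; the two opt-out commands are left commented because disabling the service is exactly the decision the article says companies may make, and it should be deliberate and temporary. Checking the endpoint matters because a server that cannot reach the Office Config Service silently receives no mitigations.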
That attack surface for Exchange Server appears to be growing. Just earlier this month, Symantec warned of pre-ransomware activity targeting Exchange Servers. Threat actors, possibly linked to the Conti ransomware gang, attempted to install “legitimate remote control software” and other tools on the networks of U.S. organizations in sectors including healthcare.